Intro History KATAN PRINTcipher Summary A Somewhat Historic View of Lightweight Cryptography Orr Dunkelman Department of Computer Science, University of Haifa Faculty of Mathematics and Computer Science Weizmann Institute of Science September 29th, 2011 Orr Dunkelman A Somewhat Historic View of Lightweight Cryptography 1/ 40 Intro History KATAN PRINTcipher Summary Outline 1 Introduction Lightweight Cryptography Lightweight Cryptography Primitives 2 The History of Designing Block Ciphers 3 The KATAN/KTANTAN Family The KATAN/KTANTAN Block Ciphers The Security of the KATAN/KTANTAN Family Attacks on the KTANTAN Family 4 The PRINTcipher The PRINTcipher Family Attacks on PRINTcipher 5 Future of Cryptanalysis for Lightweight Crypto Orr Dunkelman A Somewhat Historic View of Lightweight Cryptography 2/ 40 Intro History KATAN PRINTcipher Summary LWC Primitives Outline 1 Introduction Lightweight Cryptography Lightweight Cryptography Primitives 2 The History of Designing Block Ciphers 3 The KATAN/KTANTAN Family The KATAN/KTANTAN Block Ciphers The Security of the KATAN/KTANTAN Family Attacks on the KTANTAN Family 4 The PRINTcipher The PRINTcipher Family Attacks on PRINTcipher 5 Future of Cryptanalysis for Lightweight Crypto Orr Dunkelman A Somewhat Historic View of Lightweight Cryptography 3/ 40 Intro History KATAN PRINTcipher Summary LWC Primitives Lightweight Cryptography ◮ Targets constrained environments. ◮ Tries to reduce the computational efforts needed to obtain security. ◮ Optimization targets: size, power, energy, time, code size, RAM/ROM consumption, etc. Orr Dunkelman A Somewhat Historic View of Lightweight Cryptography 4/ 40 Intro History KATAN PRINTcipher Summary LWC Primitives Lightweight Cryptography ◮ Targets constrained environments. ◮ Tries to reduce the computational efforts needed to obtain security. ◮ Optimization targets: size, power, energy, time, code size, RAM/ROM consumption, etc. Why now? Orr Dunkelman A Somewhat Historic View of Lightweight Cryptography 4/ 40 Intro History KATAN PRINTcipher Summary LWC Primitives Lightweight Cryptography is All Around Us ◮ Constrained environments today are different than constrained environments 10 years ago. ◮ Ubiquitous computing – RFID tags, sensor networks. ◮ Low-end devices (8-bit platforms). ◮ Stream ciphers do not enjoy the same “foundations” as block ciphers. ◮ Failure of previous solutions (KeeLoq, Mifare) to meet required security targets. ◮ Good research direction. Orr Dunkelman A Somewhat Historic View of Lightweight Cryptography 5/ 40 Intro History KATAN PRINTcipher Summary LWC Primitives Some Lightweight Primitives Block Ciphers Stream Ciphers Hash Functions MACs HIGHT Grain H-PRESENT SQUASH mCrypton Trivium PHOTON DESL Mickey QUARK PRESENT F-FCSR-H Armadillo KATAN WG-7 Spongent KATANTAN PRINTcipher SEA Klein LBlock GOST Orr Dunkelman A Somewhat Historic View of Lightweight Cryptography 6/ 40 Intro History KATAN PRINTcipher Summary LWC Primitives Some Lightweight Primitives Block Ciphers Stream Ciphers Hash Functions MACs HIGHT Grain H-PRESENT SQUASH mCrypton Trivium PHOTON DESL Mickey QUARK PRESENT F-FCSR-H Armadillo KATAN WG-7 Spongent KTANTAN PRINTcipher SEA Klein LBlock GOST Orr Dunkelman A Somewhat Historic View of Lightweight Cryptography 6/ 40 Intro History KATAN PRINTcipher Summary Outline 1 Introduction Lightweight Cryptography Lightweight Cryptography Primitives 2 The History of Designing Block Ciphers 3 The KATAN/KTANTAN Family The KATAN/KTANTAN Block Ciphers The Security of the KATAN/KTANTAN Family Attacks on the KTANTAN Family 4 The PRINTcipher The PRINTcipher Family Attacks on PRINTcipher 5 Future of Cryptanalysis for Lightweight Crypto Orr Dunkelman A Somewhat Historic View of Lightweight Cryptography 7/ 40 Intro History KATAN PRINTcipher Summary Block Cipher Design in the 1970s ◮ First years of academic research in the field. ◮ Lucifer/DES (Feistel constructions). ◮ Bad diffusion properties. ◮ Analysis methods: Meet in the middle, avalanche criteria. ◮ Time-Memory tradeoff presented. ◮ Hellman-Merkle exhaustive search machine. Orr Dunkelman A Somewhat Historic View of Lightweight Cryptography 8/ 40 Intro History KATAN PRINTcipher Summary Block Cipher Design/Analysis in the 1980s ◮ Linear factors, Linear syndrome/decoding, ◮ Strict avalanche criteria, ◮ Cycle analysis (DES is not a group), ◮ Non-randomness tests, ◮ Structure of S-boxes. ◮ Take DES and change something. ◮ FEAL. Orr Dunkelman A Somewhat Historic View of Lightweight Cryptography 9/ 40 Intro History KATAN PRINTcipher Summary Block Cipher Design/Analysis in the 1990s ◮ Differential cryptanalysis [BS90]. ◮ Linear cryptanalysis [M92]. ◮ Related-key attacks [B93,K92]. ◮ IPES/IDEA [LM91,LM92]. ◮ Provable security against differential cryptanalysis/linear cryptanalysis: ◮ Inversion/power S-boxes [N93,K93]. ◮ Counting number of active S-boxes as a measure of security. ◮ Number of rounds. ◮ Wide trail strategy [DR97]. ◮ Nicer/Cleaner proofs of security. Orr Dunkelman A Somewhat Historic View of Lightweight Cryptography 10/ 40 Intro History KATAN PRINTcipher Summary AES Competition ◮ Lots of new techniques and ideas. ◮ SPNs become the “leading” design. ◮ Boomerang, slide, related-key differentials, impossible differential cryptanalysis, . Orr Dunkelman A Somewhat Historic View of Lightweight Cryptography 11/ 40 Intro History KATAN PRINTcipher Summary Block Cipher Design in the 2000s ◮ Take AES. ◮ Tweak something. ◮ Do some analysis. ◮ Claim innovation. Orr Dunkelman A Somewhat Historic View of Lightweight Cryptography 12/ 40 Intro History KATAN PRINTcipher Summary Block Cipher Design/Analysis in the 2000s (cont.) ◮ Heavy use of wide trail. ◮ Ideas such as using involution round functions for SPNs (Anubis, Khazad). ◮ Generalized Feistels (unbalanced/switching mechanism). ◮ Security against related-key attacks. ◮ Related-key variants of other attacks, related-subkey attacks. ◮ AES is no longer the most secure cipher ever (but still useful for any practical purpose∗). Orr Dunkelman A Somewhat Historic View of Lightweight Cryptography 13/ 40 Intro History KATAN PRINTcipher Summary KATAN Security Attacks Outline 1 Introduction Lightweight Cryptography Lightweight Cryptography Primitives 2 The History of Designing Block Ciphers 3 The KATAN/KTANTAN Family The KATAN/KTANTAN Block Ciphers The Security of the KATAN/KTANTAN Family Attacks on the KTANTAN Family 4 The PRINTcipher The PRINTcipher Family Attacks on PRINTcipher 5 Future of Cryptanalysis for Lightweight Crypto Orr Dunkelman A Somewhat Historic View of Lightweight Cryptography 14/ 40 Intro History KATAN PRINTcipher Summary KATAN Security Attacks The Basic Building Blocks ◮ Bivium (Trivium with two registers) in a block cipher mode. ◮ LFSR counts rounds (rather than a counter). ◮ Two round functions (the one to use is controlled by a bit of the LFSR). Joint work with Christophe De Canni`ere and Miroslav Kneˇzevi´c. Orr Dunkelman A Somewhat Historic View of Lightweight Cryptography 15/ 40 Intro History KATAN PRINTcipher Summary KATAN Security Attacks KATAN/KTANTAN Structure −−−→ L1 6 ? ? - ∧ -⊕ ? ? - - ? - IR ∧ ⊕ ⊕ ka - kb ⊕ ⊕ ∧ 6 ⊕6 ∧ 6 6 6 ? L2 ←−−− Orr Dunkelman A Somewhat Historic View of Lightweight Cryptography 16/ 40 Intro History KATAN PRINTcipher Summary KATAN Security Attacks The LFSR Round Counter ◮ When counting the number of rounds, you can use a counter. Orr Dunkelman A Somewhat Historic View of Lightweight Cryptography 17/ 40 Intro History KATAN PRINTcipher Summary KATAN Security Attacks The LFSR Round Counter ◮ When counting the number of rounds, you can use a counter. ◮ n-bit counter ⇒ n − 1-long carry chain. ◮ n-bit LFSR — a bit of control. Orr Dunkelman A Somewhat Historic View of Lightweight Cryptography 17/ 40 Intro History KATAN PRINTcipher Summary KATAN Security Attacks The LFSR Round Counter ◮ When counting the number of rounds, you can use a counter. ◮ n-bit counter ⇒ n − 1-long carry chain. ◮ n-bit LFSR — a bit of control. ◮ Checking end conditions: overflow in counter (carry chain longer) or special internal state (LFSR/counter). ◮ Another advantage: a stream of bits which is “more random”. Orr Dunkelman A Somewhat Historic View of Lightweight Cryptography 17/ 40 Intro History KATAN PRINTcipher Summary KATAN Security Attacks Two Round Functions ◮ IR is a bit which defines which of the two round functions to use. ◮ It toggles between two functions. Orr Dunkelman A Somewhat Historic View of Lightweight Cryptography 18/ 40 Intro History KATAN PRINTcipher Summary KATAN Security Attacks Two Round Functions ◮ IR is a bit which defines which of the two round functions to use. ◮ It toggles between two functions. ◮ Prevents any slide attacks, and increases diffusion. ◮ Uses the MSB of from the LFSR to pick the function. Orr Dunkelman A Somewhat Historic View of Lightweight Cryptography 18/ 40 Intro History KATAN PRINTcipher Summary KATAN Security Attacks The KATAN Block Ciphers ◮ KATAN has 3 flavors: KATAN-32, KATAN-48, KATAN-64. ◮ Block size: 32/48/64 bits. ◮ Key size: 80 bits. ◮ Share the same key schedule algorithm, and the only difference in the encryption — tap positions, and the number of times the update is done every round. ◮ Share same number of rounds — 254 (LFSR of 8 positions). Orr Dunkelman A Somewhat Historic View of Lightweight Cryptography 19/ 40 Intro History KATAN PRINTcipher Summary KATAN Security Attacks Key Schedule for KATAN ◮ Key is loaded into an 80-bit LFSR. ◮ Each round, the LFSR is clocked twice, and two bits are selected ka and kb. ◮ (Polynomial: x 80 + x 61 + x 50 + x 13 + 1). Orr Dunkelman A Somewhat Historic